LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 12-12-2012, 12:18 AM   #31
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233

Quote:
Originally Posted by TobiSGD View Post
You are the first person ever that called me conservative. But if insisting on basic security principles is nowadays called conservative then maybe I should be called conservative.
Basic principles are basic, and standard/procedure-oriented. And even if you quote some popular principles it won't be enough. Time and accessibility would always be sacrificed.
Quote:
Actually no, basic security principles are not a matter of philosophy, they are a matter of fact.
I think you mean the details and not the choice of application.
Quote:
May I quote yourself?
You yourself state that you have not explored that topic, but now you believe that you have enough knowledge about it.
Not enough to give factual details but enough for me to stand what I believe. Not that I'm really going far as to really prove it. I already gave the concept. Prove it wrong if you want to prove me wrong.

Quote:
Luckily you are a very small percentage with this habits. Otherwise the Linux world would be as simple to target for malware developers as the Windows world was with XP.
Yeah right. Can you even tell how a malware would propagate that you could compare it to XP?

Quote:
Just for educational purpose, for anyone who is interested in what I am speaking about in my conservativeness : http://en.wikipedia.org/wiki/Princip...east_privilege
Like the way of chroot jailing and SELinux as I applied it to servers yes. Certainly it's already known widely. But security is not all about limiting access. Some methods are even more effective without sacrificing accessibility. Those you refer to are just basics.
 
Old 12-12-2012, 12:41 AM   #32
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,566
Blog Entries: 2

Rep: Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035
Quote:
Originally Posted by konsolebox View Post
Yeah right. Can you even tell how a malware would propagate that you could compare it to XP?
The main reason for the widespread deployment of malware on Windows XP was that the default user automatically had administrator priveleges. Any exploit for software facing the net (mail clients, browsers, chat clients, ...) had not to circumvent any restrictions to install and run itself on the machine. Why would you think that this is different on a Linux machine running the software exposed to the net as root?

Quote:
Not enough to give factual details but enough for me to stand what I believe. Not that I'm really going far as to really prove it. I already gave the concept. Prove it wrong if you want to prove me wrong.
So your concept, although you won't prove it, is good enough to compete with the concepts designed and proven by generations of security experts, although you admit that you have not researched this topic very deeply? That is interesting.
By the way, I don't have to prove you wrong, usually the burden of proof is on the one who makes the claims.
 
Old 12-12-2012, 12:52 AM   #33
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by TobiSGD View Post
The main reason for the widespread deployment of malware on Windows XP was that the default user automatically had administrator priveleges. Any exploit for software facing the net (mail clients, browsers, chat clients, ...) had not to circumvent any restrictions to install and run itself on the machine. Why would you think that this is different on a Linux machine running the software exposed to the net as root?
On Linux with root user running a vulnerable client of course it would be breached, but how would a breached client be able to breach another one? Can that affect a significant amount of distros which are also running as root that you could say that the effect is widespread? Of course you wouldn't think services are running as root as well.
Quote:
So your concept, although you won't prove it, is good enough to compete with the concepts designed and proven by generations of security experts, although you admit that you have not researched this topic very deeply? That is interesting.
By the way, I don't have to prove you wrong, usually the burden of proof is on the one who makes the claims.
It's not that I'm thinking that they're doing another method. Or do you mean they came up with a better solution? The two major possible designs are just obvious. One is separation by environment. Second is micro-control in every API service. And the latter was the one one I'm referring to as a hack.
 
Old 12-12-2012, 05:24 AM   #34
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,566
Blog Entries: 2

Rep: Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035
Quote:
Originally Posted by konsolebox View Post
On Linux with root user running a vulnerable client of course it would be breached, but how would a breached client be able to breach another one? Can that affect a significant amount of distros which are also running as root that you could say that the effect is widespread?
That is why I said that it is luck that only a small percentage of users have your usage habits. Otherwise we would have the same situation as XP.

Quote:
Of course you wouldn't think services are running as root as well.
Most are not, especially those that are offered to the net.

Quote:
And the latter was the one one I'm referring to as a hack.
Do I understand that right? You prefer a totally insecure system to one that uses a method you consider as hack?
 
Old 12-12-2012, 07:53 AM   #35
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by TobiSGD View Post
That is why I said that it is luck that only a small percentage of users have your usage habits. Otherwise we would have the same situation as XP.
Again, users in Linux running as root is not enough to give devastating damages as much as what happened to XP.
Quote:
Most are not, especially those that are offered to the net.
What I mean is that even if you favor running GUI as root, it's not necessary that services would follow as well.
Quote:
Do I understand that right? You prefer a totally insecure system to one that uses a method you consider as hack?
It's not always an insecure system for capable users with control. Insecurity is not even a question sometimes. The better way to put it is that I would prefer taking controlled and not-really-applicable risks than using those methods if I am to gain easier and less expensive accessibility.

The thing is that there are situations where being careful is not necessary, and there are also situations where being hacked as a normal user is just as damaging as being hacked as root.
 
Old 12-12-2012, 08:17 AM   #36
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,566
Blog Entries: 2

Rep: Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035
Quote:
Originally Posted by konsolebox View Post
Again, users in Linux running as root is not enough to give devastating damages as much as what happened to XP.
No, you would also need the developers to write exploits for it. which wouldn't take very long if all people would use your security scheme.

Quote:
What I mean is that even if you favor running GUI as root, it's not necessary that services would follow as well.
Services are usually not started by the GUI, so of course they would not be run as root because you choose to run the GUI with that user. But any application that you start from within the GUI will run as root in that case. You don't tell me that if you do admin tasks and have to look up some documentation on the net first logout of the root GUI, do your researches with a browser form an unprivileged account and then login back as root, just to finf out that the approach does not work and you have to do that procedure again?
Or do you start the browser as unprivileged user using one of the "hacks"?

Quote:
there are also situations where being hacked as a normal user is just as damaging as being hacked as root.
True, but if your normal user and root are one and the same this doesn't apply anymore, just because all situations are as damaging as being hacked as root. Just because there is the possibility that someone breaks a locked door the logical conclusion is not to don't use locks.
 
Old 12-12-2012, 09:00 AM   #37
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by TobiSGD View Post
No, you would also need the developers to write exploits for it. which wouldn't take very long if all people would use your security scheme.
Still after they had written those it still won't be enough to give that much damage. You're missing a crucial factor which can never appear in Linux as compared to XP. At least it can never be that close as how things are arranged.
Quote:
But any application that you start from within the GUI will run as root in that case.
Not always especially on services.
Quote:
You don't tell me that if you do admin tasks and have to look up some documentation on the net first logout of the root GUI, do your researches with a browser form an unprivileged account and then login back as root, just to finf out that the approach does not work and you have to do that procedure again?
Or do you start the browser as unprivileged user using one of the "hacks"?
Do you really think it's necessary to not run the browser as root? Are all source sites that dangerous, and if there are exploitive ones would they be even always effective against your own client? What's the significance of it if your browser cannot or will not be breached at all?
Quote:
True, but if your normal user and root are one and the same this doesn't apply anymore, just because all situations are as damaging as being hacked as root.
Just shows how closed your perception about the matter is that you wouldn't even think of other possibilities other than the obvious.
Quote:
Just because there is the possibility that someone breaks a locked door the logical conclusion is not to don't use locks.
If I am to make a reply I would answer the same answer again. I guess that concludes the difference of our beliefs. Again it's about the other benefits one would choose over unnecessary insecurity and indeed there are reasons as to use GUI as root compared to what you stated that I find absolutely conservative.
 
Old 12-12-2012, 09:32 AM   #38
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,566
Blog Entries: 2

Rep: Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035
Quote:
Originally Posted by konsolebox View Post
Still after they had written those it still won't be enough to give that much damage. You're missing a crucial factor which can never appear in Linux as compared to XP. At least it can never be that close as how things are arranged.
Instead of making vague statements, just come out with it directly: Why do you think that an successful attack against root on a Linux system would be less harmful or more restricted than a successful attack on a XP user with admin privileges.

Quote:
Not always especially on services.
As I stated before, services usually are not started from the GUI itself. I am talking about the applications that are running within the GUI, browser, chat-clent, VLC, whatever.

Quote:
Do you really think it's necessary to not run the browser as root?
No, i don't believe that. It is a fact that it exposes security risks to do that. This is a technical matter, not religion or philosophy, believes don't have a place here, knowledge has.

Quote:
Are all source sites that dangerous, and if there are exploitive ones would they be even always effective against your own client?
We had hacks in the last time against FreeBSD, against the kernel.org site and what not. You simply can't know which site may contain malicious code. regarding the client, nowadays most browsers are either based on Mozilla's engine, on the Webkit engine or are named Opera. What make you think that your browser is not attackable on that base?

Quote:
What's the significance of it if your browser cannot or will not be breached at all?
A browser that can not be breached must by definition be a browser without any flaw in design and implementation. Such a browser does not exist.

Quote:
Just shows how closed your perception about the matter is that you wouldn't even think of other possibilities other than the obvious.
Again, don't be vague, if you have something to say come out with it. I am open to anything that makes sense and it is possible to convince me.

Quote:
Again it's about the other benefits one would choose over unnecessary insecurity and indeed there are reasons as to use GUI as root compared to what you stated that I find absolutely conservative.
But you still did not come up with any good reason to use a GUI as root, besides laziness and a possibly slightly larger footprint of applications that are running as a different user in the GUI. Both reasons are not important enough to trade security in for them.

Last edited by TobiSGD; 12-12-2012 at 09:34 AM.
 
Old 12-12-2012, 10:18 AM   #39
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Quote:
Originally Posted by Zermelo View Post
(..) At what point do we say they take the responsibility? Whether people choose to do things out of laziness or lack of will-power, there comes a point that you give them the responsibility.
There is no such thing as granting or being granted responsibility: you either are or you are not. Everyone is responsible for their own systems but once a system shares a network it becomes responsible for its interaction with other systems. When an owner does not act responsibly that system becomes a potential risk. So advertise corruption, misconceptions, hell, even offer arguments of questionable relevance all you want.
In turn I'll just point out completely avoidable risks.
Cause and effect.
 
Old 12-12-2012, 11:49 AM   #40
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by TobiSGD View Post
Instead of making vague statements, just come out with it directly: Why do you think that an successful attack against root on a Linux system would be less harmful or more restricted than a successful attack on a XP user with admin privileges.
Just on the user's own system no there's no difference. What I had been trying to explain was how one malware could rapidly expand from client to client. It's only possible if it knows how to exploit many versions of client softwares varying from one Linux system to another. At least it would be not always as easy as compared to XP in which its own services itself are the ones which are vulnerable and that packages always have single source of builds. We haven't even considered how it would affect Linux systems that implement other security measures which are not based on the user.
Quote:
No, i don't believe that. It is a fact that it exposes security risks to do that. This is a technical matter, not religion or philosophy, believes don't have a place here, knowledge has.
It's not if you include the factor called smart probability.
Quote:
We had hacks in the last time against FreeBSD, against the kernel.org site and what not. You simply can't know which site may contain malicious code. regarding the client, nowadays most browsers are either based on Mozilla's engine, on the Webkit engine or are named Opera. What make you think that your browser is not attackable on that base?
Yes considered that but I don't think it could create a parasite that would infect my client - after all I run a natively compiled browser with not too common compile flags. Not to mention if I add more security implementations which are not user-based. I also doubt that malwares on servers stay long - at least not significantly often.
Quote:
A browser that can not be breached must by definition be a browser without any flaw in design and implementation. Such a browser does not exist.
If we measure as far as its plugins and flaws in script handling then browsers are vulnerable alright but those things rarely happen now. Most common effective methods for creating successful attacks against browsers are by buffer overlow exploits and the likes, but even them are no longer easy since software versions and builds vary from time to time. For someone like me who compiles my packages natively by default it's just unlikely. And how about other security measures like grsecurity, NX/PAX, hardened compiler, other kernel patches, etc. Thing is I've been running browsers as root for a long time already and I never had a problem. And I do from time to time give minimal assessment if my system is breached. I do consider the possible sneaky attempts if a malware would hide itself just in case you doubt that.

Quote:
Again, don't be vague, if you have something to say come out with it. I am open to anything that makes sense and it is possible to convince me.
Alright I'll give an example. If your documents are as good as or is more important than your easy-to-restore system would it even matter being root or not when they're breached? Let's assume that you're not on any network that there's a possibility that you would affect other users. Would you even say that users has to learn how to hide their often-accessed files somewhere in a filesystem with disarray and obscurification.
Quote:
But you still did not come up with any good reason to use a GUI as root
Well that's up to you. I've said enough.
Quote:
besides laziness and a possibly slightly larger footprint of applications that are running as a different user in the GUI. Both reasons are not important enough to trade security in for them.
Laziness is only laziness if the task in question is significant and/or necessary. And security is only significant if something is needed to be secured and is vulnerable. Those are my opinion for this context. And saying "You'll never know what's coming to you.", well that's already a choice as how you observed things.
 
Old 12-12-2012, 01:58 PM   #41
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,566
Blog Entries: 2

Rep: Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035
You have valid points when you compile your software yourself with an eye to security checks and hardening the system. This will in fact to some extent minimize the risks of possible attacks for your system. It is harder to break into your system, but not impossible, so you could get even better security with building another wall with running your system as user with the least necessary privileges.
As I see it we both have a different approach to security (although I still would not call insisting on the principles I pointed to earlier conservative) and we both have valid points in our approach. So discussing this endlessly will not bring any of us any further.

Let me go back to my sentence that initially started the discussion between us:
Quote:
There is absolutely no reason to run the GUI as root ever.
I will rephrase that to
Quote:
If someone has to ask how to run software as root then for that person it is most likely not reasonable to run the system as root, since there seems to be a lack of knowledge and experience in possible security risks and their implications.
This is unarguably the case most of the time when this question is asked on a forum and to those asking that question it should be made clear that it is a bad idea to run their specific systems as root, with an explanation why that is the case and a pointer to information about basic security principles.
 
Old 12-20-2013, 05:22 AM   #42
SinclairJ
LQ Newbie
 
Registered: Oct 2012
Posts: 6

Rep: Reputation: Disabled
run vlc player as root

Quote:
Originally Posted by Zermelo View Post

I just wanted to post a simpler way to run vlc as root without recompiling the source. You can open up the binary for ubunt it is found in /usr/bin/vlc, then find the string that matches "geteuid" and replace it with "getppid".

It's simple, quick, fast and works on the original binary, so there should be no issues.

It also works with various other programs.
Thanks its work for me.

Great POST
 
  


Reply

Tags
fedora


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
root account or user account arodlinux Suse/Novell 3 12-23-2008 08:59 PM
fedora 10 vlc cannot run as root me_logan Linux - Software 1 12-07-2008 04:45 PM
Why is my common account can't open Terminal in XFCE4 but root account? notsay Slackware 4 08-18-2007 11:29 PM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM
Firefox cannot run (start and exit within 2 secs) with root account davidas Linux - Software 5 04-08-2004 01:36 AM


All times are GMT -5. The time now is 02:51 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration